K8Toledo

#299087 9-Aug-2022 23:24

Hi, one of my clients is receiving phishing emails from a Spark account.

Could someone look into this? Thanks in advance.

Oblivian

#2952799 9-Aug-2022 23:39

Let us introduce you to sender spoofing...

Look at the email raw data. Not what the client says.
You can put a from address of anything you please if there is not full checking.

That's clearly the flavour of the month to get people calling the call centres now that the baiters make more people aware. Got 5 in my gmail trapped spam yesterday.

K8Toledo

#2952801 9-Aug-2022 23:57

Oblivian: Let us introduce you to sender spoofing...

Look at the email raw data. Not what the client says.
You can put a from address of anything you please if there is not full checking.

That's clearly the flavour of the month to get people calling the call centres now that the baiters make more people aware. Got 5 in my gmail trapped spam yesterday.

My "client" is a person, not an email client.

EDIT: I screenshotted the wrong email before. Fixed.

Oblivian

#2952804 10-Aug-2022 00:08

Meant both really. But more the full path within a full email client or external analyser. That looks to be the end of the chain? Betting there's some relaying above.

Both the From and To are the same. Screams non-verified paths before you even dig there.

But I'm not sure if you've seen previous spam complaints. Unlikely to get far based on a screenshot here.

They'll likely want the same thing. And the message has already graced the filter and been flagged.

K8Toledo

#2952805 10-Aug-2022 00:16
This is from xtra webmail. Still sent from xtramail, although "mcafee" may be an alias.

Oblivian

#2952806 10-Aug-2022 00:17

Also related:

https://www.geekzone.co.nz/forums.asp?forumid=39&topicid=245179&page_no=15#2902409

K8Toledo

#2952807 10-Aug-2022 00:25

I should add I have full authority on the above account, so I'm looking at the emails first-hand. :)

mattwnz

#2952808 10-Aug-2022 00:26

The IP 10.23.30.21 doesn't seem to be an xtra one. It seems to be an internal one.

Oblivian

#2952809 10-Aug-2022 00:46

mattwnz: The IP 10.23.30.21 doesn't seem to be an xtra one. It seems to be an internal one.

It's the tail end bouncing internals.

Just like this one from 2019. Note it has very similar headers to the above example, appearing as from xtra, but written off as just-so.

https://www.geekzone.co.nz/forums.asp?forumid=39&topicid=245179&page_no=10#2261479

K8Toledo

#2952811 10-Aug-2022 01:04

mattwnz: The IP 10.23.30.21 doesn't seem to be an xtra one. It seems to be an internal one.

The phishing email came from a Spark xtramail address. I'm not concerned about the phishing attempt; I'm concerned that the sender's xtramail email account may be hacked.

This wouldn't be the first time I've come across this either.

Five years ago I discovered another client's xtramail account was being used to send phishing emails. At that time Spark were still with Yahoo, so most likely his login details were sold by Russian hackers.

The client I first mentioned doesn't even know about this. I noticed the email while transferring the account over to gmail.

K8Toledo

#2952813 10-Aug-2022 02:19

OK, so looking closely it appears the original sender wasn't xtramail. How did it get forwarded from the xtramail account in the second shot?

I still think the xtra account has been compromised.

Original (screenshot)

Sent to below (screenshot)

K8Toledo

#2952814 10-Aug-2022 03:39

Full path below (screenshot).

So it would seem scammers are using the xtramail account (colinaa.sarahw) to forward phishing emails, thereby bypassing spam filters?

Colinaa.sarahw is not on Yvonne's (my client) contact list.

tdgeek

#2952817 10-Aug-2022 07:28

Sent a test:

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

>>> colinaa.sarahw@xtra.co.nz (after RCPT TO): 550 5.1.1 User unknown

K8Toledo

#2952825 10-Aug-2022 08:17

Thanks guys for the responses. Seems I'm always learning something new here. :)

I gather the only sure way to determine the sender is the first IP at the bottom of the header? Of the 4 hops, what are the 2 local addresses? Internal mail servers? Why are there two?

freitasm

#2952827 10-Aug-2022 08:34

The correct answer was already in the first reply. Spoofing is very easy and by itself doesn't indicate a compromised account.

cheshirecat

#2984029 17-Oct-2022 21:44

This message originated externally, and spoofed not only the From header but even the Message-ID and other headers to make it appear to have originated from the Xtramail platform.

This is a problem that will go once Spark activate their SPF hard fail and DMARC, as that will cause spoofed messages to be dropped at the border.
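As an added example (not code from this thread or from Spark), a Python script that does what the replies above describe: it parses the Received chain of a constructed message, skips the internal 10.x hops and anything older than your own relays (those lines are written by the sender and can be forged), reports the external IP your border MX actually accepted the message from, and shows that the From and Message-ID domains prove nothing and that the real origin would fail the claimed domain's SPF. The hostnames, addresses, trusted relay list and SPF network are all constructed assumptions.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample, not the thread's message: forged From/Message-ID claiming
# xtra.co.nz, two private 10.x relays on top, an external peer at the bottom.
RAW = """Received: from mta3.internal.example (10.23.30.21) by mx1.internal.example; Wed, 10 Aug 2022 00:10:02 +1200
Received: from mta2.internal.example (10.23.30.12) by mta3.internal.example; Wed, 10 Aug 2022 00:10:01 +1200
Received: from border.example.net (198.51.100.7) by mta2.internal.example; Wed, 10 Aug 2022 00:10:00 +1200
Received: from unknown (203.0.113.45) by border.example.net; Wed, 10 Aug 2022 00:09:58 +1200
From: "Xtra User" <user@xtra.co.nz>
To: yvonne@example.com
Message-ID: <20220810.abc@xtra.co.nz>
"""

# Hostnames of the receiving side's own relays (assumed for this example).
TRUSTED_RELAYS = {"mx1.internal.example", "mta3.internal.example",
                  "mta2.internal.example", "border.example.net"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Hypothetical network the claimed domain would list in an SPF record ending in -all.
CLAIMED_DOMAIN_SPF_NETS = [ipaddress.ip_network("192.0.2.0/24")]
HOP_RE = re.compile(r"from\s+(\S+)\s*\(([\d.]+)\).*?\bby\s+(\S+)", re.S)

def parse_hops(raw):
    """Return (from_host, from_ip, by_host) per Received header, newest first."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        m = HOP_RE.search(value)
        if m:
            hops.append((m.group(1), m.group(2), m.group(3).rstrip(";")))
    return hops

def originating_ip(raw, trusted=TRUSTED_RELAYS):
    """Walk newest to oldest and stop at the first hop where one of our own relays
    took the message from an outside, non-RFC1918 address; older hops are forgeable."""
    for from_host, from_ip, by_host in parse_hops(raw):
        addr = ipaddress.ip_address(from_ip)
        internal = any(addr in n for n in RFC1918)
        if by_host in trusted and from_host not in trusted and not internal:
            return from_ip
    return None

def claimed_domains(raw):
    """Domains asserted by easily forged headers; on their own they prove nothing."""
    msg = message_from_string(raw)
    return {h: msg[h].split("@")[-1].strip(">") for h in ("From", "Message-ID")}

def spf_hard_fail(origin_ip, nets=CLAIMED_DOMAIN_SPF_NETS):
    """True when the origin is outside every network the claimed domain authorises."""
    return not any(ipaddress.ip_address(origin_ip) in n for n in nets)
```

Run against the sample, `originating_ip` returns the bottom hop 203.0.113.45 while both claimed domains read xtra.co.nz, which is exactly the mismatch an SPF hard fail plus DMARC would reject at the border.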

